Using Ozone2 S3 Gateway
Ozone provides an S3-compatible REST interface through Ozone2 S3 Gateway, so that object store data can be used with any S3-compatible tool.
Although Ozone2 S3 Gateway is an addition to the regular Ozone2 components, in Acceldata’s ODP mpack, Ozone2 S3 Gateway is installed and started as part of the Ozone2 service. S3 buckets are stored under the /s3v volume.
Prerequisites
To use an S3 endpoint, you must configure an access key and secret for AWS-compatible tools. The examples here use awscli.
- Generate Access Key and Secret for AWS: If security is not enabled, you can use any AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. If security is enabled, you can get the key and the secret with the ozone2 s3 getsecret command (Kerberos-based authentication is required).

    # If security is not enabled:
    # Nothing required. Use any AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

    # Secure Ozone2 (Kerberos enabled)
    $ kinit -kt /etc/security/keytabs/ozone.s3g.service.keytab <principal>
    $ ozone2 --config /etc/ozone2/conf/ozone.s3g s3 getsecret --om-service-id=omservice
    awsAccessKey=<principal>
    awsSecret=<new-s3user-secret-key>
    isDeleted=false
    transactionLogIndex=0

- Export these credentials on your S3 endpoint. Here, I’m updating the credentials as a new profile.

    # If security is not enabled:
    $ aws configure
    AWS Access Key ID [None]: <your-aws-access-ID>
    AWS Secret Access Key [None]: <your-aws-secret-key>
    Default region name [None]: <region>
    Default output format [None]:

    # Secure Ozone, use credentials from previous step.
    $ aws configure
    AWS Access Key ID [None]: <awsAccessKey>
    AWS Secret Access Key [None]: <awsSecret>
    Default region name [None]: <region>
    Default output format [None]:

Alternatively, you may create a new profile with the Ozone-related credentials and use the ozone profile to run S3 utility tasks on awscli.

    $ vi /root/.aws/credentials
    [default]
    aws_access_key_id = <aws_generated_access_key>
    aws_secret_access_key = <aws_generated_secret>

    [ozone]
    aws_access_key_id = <awsAccessKey>
    aws_secret_access_key = <awsSecret>

- Verify your S3 endpoint from S3 Gateway UI.

Starting in Ozone 2.1.0, the secret is shown only once, when it is generated with getsecret. If the secret is lost, the user must run revokesecret first and then generate a new secret with getsecret.
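
Because the secret is displayed only once, one option is to pipe the getsecret output straight into the awscli credentials file instead of copying it from the terminal. The following is an added example, not part of the Ozone or ODP tooling: the function name write_ozone_profile is hypothetical, and it assumes the awsAccessKey=/awsSecret= output lines shown in the prerequisites.

```shell
#!/bin/sh
# Added example (hypothetical helper): read `getsecret` output on stdin and
# store it as an awscli profile in a credentials file readable only by its owner.
write_ozone_profile() {
    cred_file=$1
    profile=${2:-ozone}
    key='' secret=''

    # Keep only the two key=value lines; Hadoop log lines are ignored.
    # Strip the prefix only, because the secret itself may contain '='.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            awsAccessKey=*) key=${line#awsAccessKey=} ;;
            awsSecret=*)    secret=${line#awsSecret=} ;;
        esac
    done

    # Refuse to write a half-populated profile (e.g. getsecret failed).
    if [ -z "$key" ] || [ -z "$secret" ]; then
        echo "no awsAccessKey/awsSecret pair found in input" >&2
        return 1
    fi

    (
        umask 077   # anything created below is owner-only
        mkdir -p "$(dirname "$cred_file")" || exit 1
        [ -f "$cred_file" ] || : > "$cred_file" || exit 1
        tmp=$(mktemp "$cred_file.XXXXXX") || exit 1
        # Copy every section except a stale [profile], then append the new one.
        awk -v p="[$profile]" '
            /^\[/ { skip = ($0 == p) }
            !skip { print }
        ' "$cred_file" > "$tmp" || exit 1
        printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
            "$profile" "$key" "$secret" >> "$tmp" || exit 1
        mv "$tmp" "$cred_file" && chmod 600 "$cred_file"
    )
}
```

Typical wiring is to pipe the ozone2 ... s3 getsecret command from the prerequisites into write_ozone_profile "$HOME/.aws/credentials", then pass --profile ozone to awscli.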
Ozone2 S3 Gateway to work with AWS CLI
Ozone S3 Gateway supports various bucket and object operations that the Amazon S3 API provides. The Amazon Web Services (AWS) command-line interface (CLI) is one utility that can be used to interact with S3 Gateway and work with various Ozone storage elements.
Examples of using AWS CLI for Ozone S3 Gateway:
- Create new bucket

    $ aws s3api --endpoint http://odp01.ubuntu.ce:9878 create-bucket --bucket=word
    # OR (depending on how credentials were set up)
    $ aws s3 ls --endpoint http://odp01.ubuntu.ce:9878 s3://word --profile ozone

- Upload key to new bucket

    # Create local file/key to upload on aws
    cat /root/awstpo.txt
    Hi user,aws file!

    aws s3 cp --endpoint http://odp01.ubuntu.ce:9878 /root/awstpo.txt s3://wordcount/

- Confirm key upload

    aws s3 ls --endpoint http://odp01.ubuntu.ce:9878 s3://wordcount/
    2024-04-16 12:20:20 19 awstpo.txt

- Verify file content through ozone

    # In case bucket is FSO type
    ozone2 --config /etc/ozone2/conf/ozone.om fs -cat ofs://omservice/s3v/awstestbuck/awstpo.txt
    # output :
    24/04/16 12:22:43 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
    24/04/16 12:22:45 WARN impl.MetricsConfig: Cannot locate configuration: tried hadoop-metrics2-xceiverclientmetrics.properties,hadoop-metrics2.properties
    24/04/16 12:22:45 INFO impl.MetricsSystemImpl: Scheduled Metric snapshot period at 10 second(s).
    24/04/16 12:22:45 INFO impl.MetricsSystemImpl: XceiverClientMetrics metrics system started
    Hi user,aws file!

SSL enabled Ozone2 S3 Gateway to work with AWS CLI
When SSL is enabled for Ozone, S3 Gateway has an https endpoint. The Python SSL support used by AWS CLI honors certificates in the PEM format. Hence, if your CA certificate is in any other format, convert it to PEM on all required client nodes.

    # Validate keystore with required CA cert
    keytool -list -v -keystore <ssl.client.truststore.location>

    # Export CA cert from the truststore and convert it to PEM format
    keytool -export -alias <alias> -file <s3g-ca.crt> -keystore <ssl.client.truststore.location>
    openssl x509 -inform DER -outform PEM -in <s3g-ca.crt> -out /path/to/s3gca.pem

    # Configure aws credentials as per steps in prerequisite.
    aws configure

Pass the certificate in PEM file format to the aws s3api commands to perform S3 utility tasks. For example:
- Create new bucket

    aws --debug s3api --endpoint https://odp01.ubuntu.ce:9879 --ca-bundle "/tpo/attempt2/ca-cert.pem" create-bucket --bucket=word

- Upload key to new bucket

    # Create local file/key to upload on aws
    cat /root/awstpo.txt
    Hi user,aws file!

    aws s3 cp --endpoint https://odp01.ubuntu.ce:9879 /root/awstpo.txt s3://wordcount/ --ca-bundle "/tpo/attempt2/ca-cert.pem"

- Confirm key upload

    aws s3 ls --endpoint https://odp01.ubuntu.ce:9879 s3://wordcount/ --ca-bundle "/tpo/attempt2/ca-cert.pem"
    2024-04-16 12:20:20 19 awstpo.txt

- Verify file content through ozone

    cd /usr/odp/3.3.6.2-104/ozone2/bin
    ./ozone2 --config /etc/ozone2/conf/ozone.om fs -cat ofs://omservice/s3v/awstestbuck/awstpo.txt
    # output :
    24/04/16 12:22:43 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
    24/04/16 12:22:45 WARN impl.MetricsConfig: Cannot locate configuration: tried hadoop-metrics2-xceiverclientmetrics.properties,hadoop-metrics2.properties
    24/04/16 12:22:45 INFO impl.MetricsSystemImpl: Scheduled Metric snapshot period at 10 second(s).
    24/04/16 12:22:45 INFO impl.MetricsSystemImpl: XceiverClientMetrics metrics system started
    Hi user,aws file!

Revoke access to the generated AWS credentials
Revoke access to AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY once your use case is completed.

    ozone2 --config /etc/ozone2/conf/ozone.s3g s3 revokesecret
    24/03/08 18:19:29 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
    24/03/08 18:19:31 INFO client.ClientTrustManager: Loading certificates for client.
    Enter 'y' to confirm S3 secret revocation for 's3g/odp01.ha.ubuntu.ce@ADSRE.COM': y
    S3 secret revoke